JP5483754B2 - Software module management apparatus and software module management program - Google Patents

Description

The present invention relates to a software module management apparatus and software module management program for updating software modules for safely updating software modules such as operating systems and application programs.

  Currently, many computing devices are composed of an operating system and a number of updatable software modules for operating the device. Software modules are used for various purposes, and dedicated software modules are developed for each application and used in combination. The software module may be updated when it is necessary to expand functions or improve performance, or when it is necessary to correct defects.

  In such a computing device, an attack that has a defect in a software module and is misused by a person other than the original user is a modern threat. For example, Non-Patent Document 1 discloses a correction of a problem in implementation of an authentication method called “AES-XCBC-MAC”. If this information and the analysis of the modification module modification point are abused, it is found out what kind of input causes the malfunction, and there is a possibility that it may be abused for a computer that has not yet corrected the malfunction.

  Conventionally, when a defect is reported to a trusted organization or developer, a software module that corrects the content is developed, and a new software module is distributed and the content of the defect is released. It was. However, there is a danger that the threat to the computer will increase further if, for example, the problem is exposed before the software module for correcting the problem is distributed.

  In addition, due to the urgent countermeasures, sufficient verification cannot be performed on the corrected software module, and other problems such as problems that induce other defects and defects that are insufficiently corrected are also observed.

  In order to reduce such threats, check whether the distribution of the patch is being performed regularly or by an external instruction, and automatically update the system or notify the user to update by the patch. The system to do is widely used.

“Announce-jp: 1319”, [online], [searched on March 27, 2007], Internet <http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1319>

  However, according to the conventional technology, a new software module in which a defect of an existing software module is corrected is distributed and applied using an automatic update function or the like to cope with the defect. However, an attacker who wants to use the bug will be given an opportunity to analyze the new software module and identify the cause of the bug using the notification that prompts the update. Will facilitate the development of. As a result, a computing device to which a new software module has not been applied is exposed to a threat.

  In addition, from the viewpoint of reducing the risk of damage expansion due to common parts, an attack is also performed when software modules for the same function are supplied from multiple developers or providers (hereinafter collectively referred to as “vendors”). Although the absolute number of devices that can be affected can be reduced, the attack itself is carried out. In addition, there may occur a situation where the correction software module is used without being applied even though the correction is originally required.

  Various software modules are used in computing devices. Among them, software modules provided by other vendors whose functions can be replaced are included. For example, encryption and decryption modules, encoding and decryption modules, communication protocol stacks, XML (Extensible Markup Language) parsers, etc. can be replaced by almost all but the core of the operating system depending on the design of the computing device. is there.

  In the prior art, in order to prevent an attack on a software module in which a problem has occurred, a technique of stopping the use of an application or the software module itself has been used. If the use of the software module is stopped, the target function cannot be used. For this reason, it continues to be used while recognizing the threat, and the problem of damage caused by the attack using the defect and the problem of the software module targeted by the attack are identified by the information, and the damage is caused by the attack of others. The problem remains. These and other problems found in the prior art are addressed by the present invention.

  The present invention has been made in view of such circumstances, and its purpose is to distribute a new software module in which a defect of an existing software module is corrected more safely in a system for selecting a software module according to the application. Then, it is providing the software module management apparatus and software module management program which can update the existing software module safely.

In order to solve the above-described problems, the present invention provides a first software module (for example, in this embodiment) in a terminal device (for example, the encryption client device 150, encryption client device 1100, and computing device 100 in this embodiment). Software module management device for managing software modules when the compromised cryptographic module, software module A) is changed to a second software module (for example, the modified cryptographic module, software module A ′ in the present embodiment) (For example, the cryptographic management server device 350, the cryptographic management server device 1350, and the software module management device 301 in the present embodiment), which is a third software different from the first software module. A storage unit (for example, the cryptographic module DB 353, the cryptographic module DB 1353, and the storage unit 310 in the present embodiment) that stores the module (for example, the alternative module in the present embodiment, the software module B), and the third stored in the storage unit. A first distribution unit that reads the software module, and distributes the read third software module to the terminal device so that the first software module is switched to the third software module to be usable; After the second software module different from the software module is generated, the second software module is distributed to the terminal device, and the third software module is switched to the second software module to be usable. Delivery of 2 A software module management device.

  The present invention is a software module management device that manages software modules when a first software module in a terminal device is changed to a second software module, and stores a selection module that selects a software module A first distribution unit that reads the selection module stored in the storage unit, distributes the read selection module to the terminal device and selects a software module, and a second different from the first software module. A second distribution unit that distributes the second software module to the terminal device after the software module is generated, and switches the software module selected by the selection module from the software module to the second software module; Have It is a software module management apparatus according to claim.

  The present invention is a software module management device that manages software modules when a first software module in a terminal device is changed to a second software module, and stores a selection criterion indicating a criterion for selecting the software module A storage unit that reads out the selection criteria stored in the storage unit, distributes the read selection criteria to the terminal device, and selects a software module based on the selection criteria; After the second software module different from the software module is generated, the second software module is distributed to the terminal device, and the software module selected by the selection module is switched to the second software module to be usable. Second delivery to If a software module managing apparatus characterized by having a.

  According to the present invention, the second distribution unit terminates the use of the software module used next to the first software module after distributing the second software module. Item 4. The software module management device according to any one of Items 3 above.

  The present invention is the software module management apparatus according to any one of claims 1 to 4, wherein the first to third software modules have a function of performing cryptographic processing.

  As described above, according to the present invention, an existing software module can be safely updated.

It is a block diagram which shows the structure of the security information communication system by the 1st reference example of this invention. It is a block diagram which shows the structure of the encryption client apparatus by the 1st reference example of this invention. It is a block diagram which shows the structure of the encryption management server apparatus by the 1st reference example of this invention. It is a block diagram which shows the structure of the security information communication system by the 2nd reference example of this invention. It is a block diagram which shows the structure of the encryption client apparatus by the 2nd reference example of this invention. It is a figure which shows the data structural example of selection DB by the 2nd reference example of this invention. It is a figure which shows the data structural example of encryption module link DB by the 2nd reference example of this invention. It is a figure which shows the data structural example of encryption module DB by the 2nd reference example of this invention. It is a figure which shows the data structural example of key information DB by the 2nd reference example of this invention. It is a figure which shows the data structural example of encryption process DB by the 2nd reference example of this invention. It is a figure which shows the logical structure of the database by the 2nd reference example of this invention. It is a block diagram which shows the structure of the encryption management server apparatus by the 2nd reference example of this invention. It is a block diagram which shows the structure of the software module management apparatus by the 1st Embodiment of this invention. It is a block diagram which shows the structure of the computing device by the 1st Embodiment of this invention. It is a block diagram which shows the structure of the software module which can be updated by the 1st Embodiment of this invention. It is a figure which shows the structure of the security information communication system by the 1st Embodiment of this invention. It is a figure which shows the structure of the computing device by the 1st Embodiment of this invention. It is a figure which shows the example of delivery operation | movement of the correction software module by a prior art. It is a figure which shows the delivery operation example of the correction software module by the 1st Embodiment of this invention. It is a figure which shows the encryption processing operation example of the encryption client apparatus by the 1st reference example of this invention. It is a figure which shows the example of a cryptographic processing flow of the encryption client apparatus by the 1st reference example of this invention. It is a figure which shows the structural example of encryption evaluation DB by the 1st reference example of this invention. It is a figure which shows the structural example of encryption mounting DB by the 1st reference example of this invention. It is a figure which shows the structural example of encryption processing information DB and key information DB by the 1st reference example of this invention. It is a figure which shows the delivery operation example of the encryption package by the 1st reference example of this invention. It is a figure which shows the example of a delivery process flow of the encryption package by the 1st reference example of this invention. It is a figure which shows the encryption processing operation example of the encryption client apparatus by the 2nd reference example of this invention. It is a figure which shows the example of a cryptographic processing flow of the encryption client apparatus by the 2nd reference example of this invention. It is a figure which shows the inquiry process of the optimal encryption by the 2nd reference example of this invention. It is a figure which shows the example of an inquiry process flow of the optimal encryption by the 2nd reference example of this invention. It is a figure which shows the delivery process of the encryption module by the 2nd reference example of this invention. It is a figure which shows the example of a delivery process flow of the encryption module by the 2nd reference example of this invention.

Hereinafter, a system that includes a software module managing apparatus according to an exemplary embodiment of the present invention (that of the cryptographic management server device shown in FIG. 1) (hereinafter, referred to as "the system in the first reference example") will be described with reference to the drawings .

First, the outline of the present system in the first reference example will be described. The system in the first reference example is a system in which a server and a client device are connected, and information encrypted using an encryption module can be transmitted and received between the server and the client device. Here, it is also possible to switch the cryptographic module periodically. As such a cryptographic system capable of switching cryptographic modules, there are several frameworks that can be implemented by each cryptographic vendor by defining an interface independent of the cryptographic method for each cryptographic technique. For example, Microsoft (registered trademark) CryptAPI, Sun (registered trademark) JCA (Java (registered trademark) Cryptographic Architecture) / JCE (Java (registered trademark) Cryptographic Extensions), or Open Group (registered trademark) CDSA (Common Data Security) Architecture).

  In these frameworks, an interface for accessing a cryptographic module is defined for each cryptographic technique such as encryption / decryption, signature generation / verification, and authenticator generation / verification. According to the interface, for example, DES (Data Encryption Standard), An encryption scheme such as AES (Advanced Encryption Standard) can be implemented. Then, at the time of system construction, an encryption or security specialist selects an appropriate encryption method from among the installed encryption methods, and inputs encryption method parameters indicating which encryption method to use into the framework. Thus, the encryption method can be switched.

  When using such a framework, if the security policy for the operation of the application system is changed, it is necessary for a specialist in cryptography and security to select an encryption method suitable for the system again. Face professional resource issues and cost issues. In addition, when a deficiency in an existing encryption method is discovered or a new cipher is announced, it is difficult to smoothly apply a change in the encryption method to an operating system. Furthermore, it is also a difficult problem in the conventional system to realize optimal security when necessary security strength, processing speed, and the like differ depending on the environment where security is performed.

In this system in the first reference example , this problem can be solved in the cryptographic system in which the cryptographic module can be switched.

<First Reference Example >
FIG. 1 is a schematic block diagram showing the configuration of the system in the first reference example of the present invention.

This system in the first reference example includes a cryptographic management server device 350 that transmits a cryptographic package 307 including a cryptographic module 308 and a cryptographic evaluation description file 309, and a cryptographic client device 150 that performs cryptographic processing using the received cryptographic package 307. It consists of. The cryptographic evaluation described in the cryptographic evaluation description file 309 is information in which the reliability, strength, and the like of the cryptographic method of the corresponding cryptographic module 308 are quantified. For example, on the terminal device such as the cryptographic client device 150 These are the security of the installed encryption method, the processing speed of the encryption, and the key length that can be used for encryption.

  The cryptographic management server device 350 includes a cryptographic module DB 353 that stores the cryptographic module 308, a cryptographic evaluation DB 354 that stores the cryptographic evaluation description file 309, a cryptographic management unit 351 that manages the cryptographic module DB 353 and the cryptographic evaluation DB 354, Cryptographic registration unit 355 that registers new information in module DB 353 and cryptographic evaluation DB 354, and cryptographic distribution that reads and transmits the optimal cryptographic package 307 from cryptographic module DB 353 and cryptographic evaluation DB 354 in response to a request from cryptographic client apparatus 150 Part 352.

  The cryptographic client device 150 includes an upper system unit 151 that is an application or middleware that calls and uses a cryptographic function provided by the cryptographic implementation unit 153 via the cryptographic control manager unit 152, and a cryptographic package transmitted from the cryptographic management server device 350. A cryptographic control manager unit 152 that performs reception of 307 and switches cryptographic functions provided from the cryptographic implementation unit 153, a tamper-resistant cryptographic hardware unit 450 that implements cryptographic processing by a main cryptographic method as hardware, and a cryptographic method The cryptographic module 308 that implements the cryptographic module 308 is configured to be executable and usable and includes a cryptographic module 153 that provides a cryptographic function. The cryptographic management server device 350 transmits an appropriate cryptographic package 307 to the cryptographic client device 150 by performing three procedures of initial registration / distribution / update of the cryptographic code based on a request from the cryptographic client device 150.

  Here, the initial encryption registration means that the encryption client device 150 does not have the encryption module 308 and the encryption implementation unit 153 does not exist, and the encryption hardware unit 450 of the encryption client device 150 is used for the usage. The essential cryptographic module 308 is securely transmitted from the cryptographic management server device 350 to the cryptographic implementation unit 153.

The cryptographic distribution means that the cryptographic management server device 350 selects an appropriate cryptographic module 308 or cryptographic package 307 in response to the cryptographic request received from the cryptographic client device 150 and transmits it to the cryptographic client device 150. The encryption request includes condition information regarding encryption. This condition information includes the classification of encryption methods such as encryption and signature generation (encryption category), the manufacturer that created the encryption module 308, the hardware information on which the encryption module 308 operates, and the evaluation information of the encryption. The cryptographic evaluation information may be handled as a cryptographic evaluation description file 309 as a file independent of the cryptographic module 308 as in this reference example.

  The update of the cipher means registering a new cipher module 308, deleting the corresponding cipher module 308 using a compromised cipher system, or discovering a bug in the cipher module 308 and the existing cipher module 308 and its cipher. The cryptographic module DB 353 and the cryptographic evaluation DB 354 on the cryptographic management server device 350 are updated when the cryptographic implementation unit 153 in which the module 308 is executed is updated, or when the cryptographic evaluation is changed as the processing speed of the computer increases. And updates the information stored in the encryption package 307 periodically to the encryption client device 150 or based on a request from the encryption client device 150, and the encryption management server device 350 can transmit a new cryptographic module 308, and an existing cryptographic implementation unit 153 can operate. It is to notify that it is now clause.

  FIG. 2 is a detailed configuration diagram of the encryption client device 150. The cryptographic control manager unit 152 includes a cryptographic processing control unit 156 having a cryptographic processing information DB 157, a cryptographic module DB 164, a cryptographic evaluation DB 163, a cryptographic module selection policy 158, and a hardware profile 160. A key information management unit 162 having a key information DB 165, an access control policy 161 in which an access control policy to the key information DB 165 is described, a cryptographic management unit 166 having a cryptographic control manager policy 167, a cryptographic hardware unit 450, It comprises a cryptographic hardware management control unit 170 that performs communication, a communication function 155 that performs communication with the outside, an algorithm negotiation unit 168 that cooperates with the communication function 155, and a secure communication management unit 169 that cooperates with the communication function 155. The

  The cryptographic processing control unit 156 performs key generation processing, key registration processing, and cryptographic processing based on the cryptographic processing call from the higher-level system unit 151.

  In the case of key generation processing, the cryptographic processing control unit 156 uses the cryptographic processing identifier specified when the cryptographic scheme, key length, and cryptographic scheme parameters designated by the higher system unit 151 are registered in the cryptographic processing information DB 157. Control (request / instruction) is performed so that the cryptographic module selection unit 159 selects the cryptographic module 308 corresponding to the scheme.

  The cryptographic process control unit 156 loads the selected cryptographic module 308 onto the memory and causes the cryptographic module implementation unit 153 to execute. The encryption processing control unit 156 extracts the encryption method parameters for key generation corresponding to the designated encryption processing identifier from the key information DB 165 via the key information management unit 162. When the cryptographic processing control unit 156 calls the cryptographic implementation unit 153 with the designated key length and the extracted cryptographic method parameter, the cryptographic implementation unit 153 generates key information. The cryptographic process control unit 156 receives the generated key information. The cryptographic processing control unit 156 registers the key information generated by the cryptographic implementation unit 153 in the key information DB 165 via the key information management unit 162, receives a key identifier corresponding to the key information, and newly issues a cryptographic processing as a processing result. Is stored in the cryptographic processing information DB 157, and the cryptographic processing identifier is returned to the host system unit 151.

  In the case of key registration, the cryptographic processing control unit 156 registers the key information designated by the higher system unit 151 in the key information DB 165 via the key information management unit 162, receives the key identifier, and newly issues the processing result. The association between the cryptographic processing identifier and the key identifier is stored in the cryptographic processing information DB 157, and the cryptographic processing identifier is returned to the host system unit 151.

  In the case of cryptographic processing, it receives condition information related to encryption specified from the higher-level system unit 151, data to be encrypted (plain text), and an identifier of cryptographic processing received when key generation or key registration is performed. Referring to FIG. 4, control is performed so that an appropriate cryptographic module 308 is selected by the cryptographic module selection unit 159, and the selected cryptographic module 308 is loaded onto the memory and executed as the cryptographic implementation unit 153. The key information corresponding to the identifier is extracted from the key information DB 165 via the key information management unit 162, and the designated encryption processing target data and the extracted key information are input to the called cryptographic implementation unit 153 and processed correspondingly. Encryption processing is performed, and the association between the newly issued cryptographic processing identifier and the key identifier is processed as a processing result. Save to broadcast DB157, it returns the identifier of the encryption process. By associating the key information used in the cryptographic process with the identifier of the cryptographic process, the cryptographic process can be easily re-executed and decrypted.

  The cryptographic module DB 164 is a storage unit that stores the cryptographic module 308 received from the cryptographic management server device 350.

  The cryptographic evaluation DB 354 is a storage unit that stores the cryptographic evaluation description file 309 received from the cryptographic management server device 350.

  The cryptographic module selection unit 159 displays cryptographic condition information such as cryptographic category such as encryption and signature generation, manufacturer of the cryptographic module 308, hardware information on which the cryptographic module 308 operates, and cryptographic evaluation information. Based on the input from the host system unit 151, the most appropriate cryptographic module 308 is selected from the cryptographic modules 308 stored in the cryptographic module DB 164. In selecting the cryptographic module 308, the cryptographic module 308 is selected from those suitable for the hardware profile 160 describing the hardware information of the cryptographic client device 150, and the cryptographic module selection describing the policy of the user who uses the cryptographic client device 150 is selected. Also follow policy 158.

  The hardware profile 160 is information including information such as the CPU architecture, CPU clock, and amount of installed memory of the encryption client device 150, for example. The encryption module selection policy 158 includes, for example, a condition that the user wants to prioritize when there are a plurality of ciphers selected according to the input condition, a cipher manufacturer that the user wants to use preferentially, and an encryption method that the user wants to prohibit use It is information including.

  As described above, the cryptographic module selection unit 159 selects the cryptographic module 308 that matches the input information with reference to the input information from the host system unit 151, the hardware profile 160, and the cryptographic module selection policy 158. When the cryptographic module selection unit 159 uniquely selects the cryptographic module 308, the selected cryptographic module 308 is extracted from the cryptographic module DB 164. The cryptographic module selection unit 159 outputs an error if the cryptographic module 308 cannot be uniquely selected.

  The key information management unit 162 stores or reads data in the key information DB 165 such as key information and encryption method parameters specified when calling the cryptographic implementation unit 153. If the specified key information or encryption method parameter information is not one, the key information management unit 162 performs association so that a plurality of pieces of information can be extracted together and registers them in the key information DB 165. The key information management unit 162 controls access to key information from a plurality of higher-level system units 151 according to the encryption module selection policy 158 when extracting key information and encryption method parameters from the key information DB 165.

  The key information management unit 162 determines the validity of the credential based on the credential (access key, password, etc.) designated by the higher system unit 151, the key identifier to be accessed, and the cryptographic processing identifier associated with the key identifier. To verify. The key information management unit 162 determines whether access is possible based on the access control policy 161 describing the key information of the key information DB 165 accessible to the owner of the credential. The corresponding key identifier is extracted from the key information DB 165, key information and encryption method parameters corresponding to the key identifier are extracted, and this is returned to the upper system unit 151. On the other hand, if the access is impossible, an error is returned to the upper system unit 151.

  The cipher management unit 166 communicates with the cipher management server device 350 via the communication function 155, and receives the cipher package 307 and the like according to the initial cipher registration / distribution / update procedure. When the cryptographic management unit 166 receives the cryptographic package 307 and the like from the cryptographic management server device 350, the cryptographic management unit 166 performs processing according to the content of the cryptographic control manager policy 167. The contents of the encryption control manager policy 167 are, for example, the following five. The first is whether or not server authentication can be performed in communication with the encryption management server device 350. The second is whether or not encryption is possible when the cryptographic package 307 or the like is received from the cryptographic management server device 350. The third is whether or not a falsification detector (MAC (Message Authentication Code)) can be added when the cryptographic package 307 or the like is received from the cryptographic management server device 350. The fourth is whether or not verification of the received authenticator such as the cryptographic package 307 can be performed. The fifth is setting information related to periodic update indicating whether or not the cryptographic package 307 stored in the cryptographic evaluation DB 163 and the cryptographic module DB 164 can be periodically updated, update frequency, and the like.

  The cryptographic hardware management control unit 170 communicates with the cryptographic hardware unit 450, and receives the cryptographic package 307 from the cryptographic management server device 350 according to the procedure of initial encryption registration. When the cryptographic package 307 is received, if the cryptographic package 307 is encrypted, the cryptographic hardware unit 450 decrypts the cryptographic package 307. Further, when it is detected that a tamper detector is added to the cryptographic module 308, the cryptographic hardware unit 450 detects whether the cryptographic module 308 has been tampered with.

  The algorithm negotiation unit 168 cooperates with the communication function 155 to arbitrate between the encryption method used for establishing the communication session and the encryption method used for the communication session before establishing a secure communication session between the two encryption client devices. Do. When mediating the encryption method, mediation can be performed by one of the following four mediation methods.

  In the first arbitration method, the algorithm negotiation unit 168 determines the encryption method unilaterally only from the encryption method group provided by the encryption module 308 stored in its own encryption module DB 164. The own algorithm negotiation unit 168 determines the encryption evaluation DB 163 and the encryption from the classification information (encryption category) of one or more encryption methods designated by the higher system unit 151, the encryption control manager policy, the hardware profile, and the encryption condition information. An appropriate encryption module 308 is selected with reference to the module DB 164, and an encryption method is determined. When a plurality of encryption method classifications are designated, selection is made for each encryption method classification to determine the encryption method.

  At this time, the algorithm negotiation unit 168 performs the procedure for distributing the cipher by referring to the condition information regarding the designated cipher when the cipher method classification whose cipher method is undecided is designated from the upper system unit 151. The cryptographic module 308 is received from the cryptographic management server device 350, and the cryptographic scheme of the cryptographic module 308 is the result. If it is still undecided, the algorithm negotiation unit 168 returns an error to the upper system unit 151.

  When the algorithm negotiation unit 168 determines the encryption method, the encryption method arbitration method number, the classification and encryption method of the output encryption method are sent to the destination of the other party's encryption control manager unit 152 designated by the higher system unit 151. Information on the correspondence group of methods and whether or not the encryption module 308 can be received from the encryption management server device 350 is transmitted. The other party's encryption control manager 152 searches the encryption evaluation DB 163 and the encryption module DB 164 for possession of the encryption module 308 of the specified encryption method, and the appropriate encryption module 308 for all encryption methods is found. If it exists, a reply indicating that communication is possible is performed.

  If there is a cryptographic module 308 that does not exist, the other party's cryptographic control manager unit 152 performs processing in accordance with the information regarding whether or not it can be received from the cryptographic management server device 350. That is, if reception is possible, the encryption module 308 for the encryption method is received according to the encryption distribution procedure, and a reply indicating that communication is possible is performed after the reception is completed. If reception is not possible or if the appropriate cryptographic module 308 cannot be received even if reception is possible, a reply indicating that communication is impossible is performed. The own encryption control manager unit 152 transfers the reply from the other party's encryption control manager unit 152 to the host system unit 151.

  In the second arbitration method, the other party's encryption control manager unit 152 determines the encryption method unilaterally only from the encryption method group held by the other party's encryption control manager unit 152. This is a symmetric process to the first arbitration method and the same procedure.

  In the third arbitration method, the encryption control manager unit 152 of itself determines a common encryption method from the encryption method group held by both encryption control manager units 152.

  The algorithm negotiation unit 168 of the encryption control manager unit 152 of its own uses one or more encryption method classifications (encryption categories) designated by the higher-level system unit 151, and the encryption of the other party from the destination of the other party's encryption control manager unit 152. The encryption method arbitration method number and the encryption method classification are transmitted to the control manager unit 152. The other party's encryption control manager unit 152 selects all corresponding encryption modules 308 by referring to the encryption evaluation DB 163 and the encryption module DB 164 from the received encryption method classification and hardware profile, and all the selected encryption modules 308 Create a list of corresponding encryption methods.

  At this time, when a plurality of encryption method classifications are designated, the other party's encryption control manager unit 152 selects the encryption module 308 for each encryption method classification and creates an encryption method list. The other party's encryption control manager unit 152 transmits to the encryption control manager unit 152 its own encryption method list for each encryption method classification. The own encryption control manager unit 152 that has received the encryption method list for each encryption method classification includes one or more encryption method classifications (encryption categories), encryption control manager policy, and hardware specified by the host system unit 151. From the profile and encryption condition information, an appropriate cryptographic module 308 is selected with reference to the cryptographic evaluation DB 163 and the cryptographic module DB 164, and the cryptographic method is determined from the selected cryptographic module 308.

  At this time, if a plurality of encryption method classifications are designated, the encryption control manager unit 152 selects each encryption method classification and determines the encryption method. For example, in the following case, it is assumed that the encryption method for the encryption method classification is determined. First, the encryption method selected by its own encryption control manager unit 152 exists in the encryption method list. Next, when the encryption control manager unit 152 has the encryption module 308 corresponding to one of the encryption methods received in the encryption method list. In other cases, the encryption method for the encryption method classification is undecided.

  When there is an undetermined classification of cryptographic schemes, the cryptographic control manager unit 152 designates one of the received cryptographic scheme lists and receives the cryptographic module 308 from the cryptographic management server device 350 according to the cryptographic distribution procedure. . The encryption control manager unit 152 repeats the same processing for all the encryption methods in the encryption method list until the corresponding encryption module 308 can be received. If it is still undecided, the cipher system relating to the classification of the corresponding cipher system is not yet decided. When the above-described processing is completed for all the encryption method classifications, the encryption method determination / undecided for all encryption method classifications is transmitted to the encryption control manager unit 152 of the other party.

  In the fourth arbitration method, an encryption method common to the other encryption control manager unit 152 is determined from the encryption method group held by both encryption control manager units. This is a symmetric process and the same procedure as in the third arbitration method.

  The algorithm negotiation unit 168 performs arbitration using one of the above four arbitration methods.

  The secure communication management unit 169 cooperates with the communication function 155 to establish a secure communication session with another encryption client device 150. When the secure communication management unit 169 establishes a secure session, the algorithm negotiation unit 168 determines the encryption method to be used in the communication session construction and the encryption method to be used in the communication session, and then determines the session key. Share. After the secure communication session is established, an authentication code for encrypting communication data and preventing tampering of communication data can be added using the session key according to the determined encryption method. In addition, the secure communication management unit 169 can hold the communication session so that the communication session once established can be reused within a certain period of time.

  The secure communication management unit 169 transmits a secure connection request to the destination of the communication partner designated by the higher system unit 151 and notifies the start of secure connection. Next, the secure communication management unit 169 establishes a secure connection according to the encryption method classification determined by the algorithm negotiation unit 168 in advance. Examples of encryption method classifications include authentication, key sharing, common key information encryption (stream encryption or block encryption), public key encryption, data authentication (MAC authentication or signature authentication), and pseudorandom number generation (stream encryption and public key). There are classifications such as session key derivation, MAC key derivation (only for MAC authentication), and the like. The secure communication management unit 169 performs authentication processing when authentication is required for secure connection.

  Next, the secure communication management unit 169 performs key sharing by key sharing processing and establishes a secure session. However, the key sharing process is not performed when the public key cryptosystem is arbitrated. When performing encrypted communication without public key encryption, create a session key from the shared key by the session key derivation method, encrypt the data to be transmitted according to the common key information encryption method, and send the encrypted data to the other party. Send. The communication partner creates a session key by the same method, and decrypts the received data according to the common key information encryption method.

  When performing encrypted communication with public key encryption, the secure communication management unit 169 creates a random session key according to the pseudo-random number generation method, and encrypts data to be transmitted with the session key according to the common key information encryption method. The public key of the communication partner is received from the trust organization, the session key itself is encrypted with the public key of the communication partner in accordance with the public key cryptosystem, and the encrypted data and the encrypted session key are transmitted to the partner. The communication partner decrypts the encrypted session key with its own secret key, and decrypts the data received with the session key in accordance with the common key information encryption method.

  In the case of performing communication with a data authenticator and performing MAC authentication, the secure communication management unit 169 creates a MAC key from the shared key by the MAC key derivation method, and adds the MAC data to the data to be transmitted according to the MAC authentication method. Append and send data with MAC to the other party. The communication partner creates a MAC key by the same method, and verifies the MAC of the received data according to the MAC authentication method.

  In the case of performing communication with a data authenticator and signature authentication, the secure communication management unit 169 adds a signature with its own private key and transmits the signed data to the other party. The other party receives the other party's public key from the trust organization with which the other party's public key is registered, verifies the validity of the other party's public key, and if the verification ends correctly, the other party's public key is disclosed according to the signature authentication method. Verify signed data received with the key.

  FIG. 3 is a detailed configuration diagram of the encryption management server device 350. The cryptographic management server device 350 includes a cryptographic module DB 353, a cryptographic evaluation DB 354, a cryptographic management unit 351 that performs processing such as reading and updating information stored in the cryptographic module DB 353 and the cryptographic evaluation DB 354, a cryptographic module DB 353, and a cryptographic module. An encryption registration unit 355 that registers information in the evaluation DB 354 and an encryption distribution unit 352 that transmits encryption to the encryption client device 150 are configured.

  The cryptographic module DB 353 is a database that stores the cryptographic module 308 stored in advance or input by the user.

  The cryptographic evaluation DB 354 is a database that stores a cryptographic evaluation description file 309 that is stored in advance or input by the user.

  The cryptographic management unit 351 searches the cryptographic module DB 353 and the cryptographic package 307 stored in the cryptographic module DB 353 and the cryptographic evaluation DB 354 for the user of the cryptographic management server device 350, displays the contents of the cryptographic evaluation unit, and manages the encryption An interface for performing list display, updating existing ciphers, deleting existing ciphers, registering new ciphers, and starting / terminating cipher distribution units. The cipher management unit 351 requests the cipher registration unit 355 to register a new cipher.

  The encryption registration unit 355 includes an encryption package registration unit 357 and a composite type description generation unit 358.

  The cryptographic distribution unit 352 includes a cryptographic package distribution control unit 359, a cryptographic package distribution configuration unit 370 having a distribution policy 371, and a distribution cryptographic module selection unit 360 having a distribution policy 371.

  The cryptographic package distribution control unit 359 interprets a request from the cryptographic client device 150 and executes a standby service that performs three procedures of initial registration, distribution, and update of encryption. In addition, this standby service records a log of processing contents.

  The distributed cryptographic module selection unit 360 selects a cryptographic module 308 suitable for distribution based on the three procedures of initial encryption registration / distribution / update and a request from the cryptographic client device 150. In the case of initial registration of encryption, the encryption module 308 to be distributed is an encryption method described in the distribution policy 371, which is indispensable for use.

  In the cryptographic package distribution configuration unit 370, the cryptographic module 308 and the cryptographic evaluation description file 309 corresponding to the cryptographic module 308 are encrypted according to the distribution policy 371 based on the cryptographic module 308 selected by the distributed cryptographic module selection unit 360. A configuration process is performed to obtain a form that can be distributed as 307. In the distribution policy 371, for example, the following four items are described.

  The first item is whether encryption is possible when the cryptographic package 307 is distributed. The second item is an encryption method for encryption of the encryption package 307. The third item is whether or not an alteration detector can be added when the cryptographic package 307 is distributed. The fourth item is the encryption method of the alteration detector of the encryption package 307.

  In the configuration process performed by the cryptographic package distribution configuration unit 370, the content stored in the cryptographic evaluation DB 354 is generated in a specific format as the cryptographic evaluation description file 309, and the cryptographic management server device 350 distributes the cryptographic package 307 for authorization. Then, an authenticator is added, and the cryptographic module 308 and the cryptographic evaluation description file 309 are paired and combined into a cryptographic package 307.

  In addition, the cryptographic package distribution configuration unit 370 may combine a plurality of cryptographic modules 308 and a cryptographic evaluation description file 309 corresponding to each cryptographic module 308 into a single cryptographic package. Further, in the configuration process performed by the cryptographic package distribution configuration unit 370, the encryption of the cryptographic package 307 and the addition of a falsification detector are added in accordance with the cryptographic control manager policy of the cryptographic client device 150 and the distribution policy 371 of the cryptographic management server device 350. Perform key generation and key management.

Here, according to the first reference example of the present invention, the cryptographic processing control unit 156 selects an optimal cryptographic module and executes cryptographic processing in response to the cryptographic processing request from the upper system unit 151 in the cryptographic client device 150. The cryptographic processing operation for outputting the cryptographic processing result to the host system unit 151 will be described. FIG. 20 is a diagram showing an example of the cryptographic processing operation of the cryptographic client apparatus according to the first reference example of the present invention. FIG. 21 is a diagram showing an example of an encryption processing flow of the encryption client device according to the first reference example of the present invention. FIG. 22 is a diagram showing a configuration example of the encryption evaluation DB according to the first reference example of the present invention. FIG. 23 is a diagram showing a configuration example of a cryptographic implementation DB according to the first reference example of the present invention. FIG. 24 is a diagram showing a configuration example of the encryption processing information DB and the key information DB according to the first reference example of the present invention.

  The support mode is information such as an operation mode of the common key encryption and a supported standard name. For example, the ECDSA method supports SECG SEC1 v1.0. The cryptographic evaluation description file ID (cryptographic processing) in the cryptographic processing information DB is a cryptographic evaluation description file ID corresponding to the cryptographic module used for the cryptographic processing. The cryptographic evaluation description file ID (key generation) in the cryptographic processing information DB is the cryptographic evaluation description file ID associated when the cryptographic key used for the cryptographic processing is additionally registered in the cryptographic processing DB 157, or This is a cryptographic evaluation description file ID corresponding to the cryptographic module used when the key is generated by the cryptographic control manager unit 152.

An example of the cryptographic processing operation of the cryptographic client device according to the first reference example of the present invention will be described below. The host system unit 151 requests cryptographic processing from the cryptographic processing control unit 156 by receiving cryptographic processing request information including the data to be cryptographic processed and the identifier of the cryptographic processing category (step S1). The cryptographic processing control unit 156 requests the key information management unit 162 for key information corresponding to the cryptographic processing request information from the host system unit 151 (step S2). The key information management unit 162 acquires the key information from the key information DB 165 and outputs it to the encryption processing control unit 156 (step S3).

  The cryptographic process control unit 156 inputs the cryptographic process request information from the higher-level system unit 151 to the cryptographic module selection unit 159 and requests the selection of the optimal cryptographic module (step S4). The cryptographic module selection unit 159 reads the hardware profile 160 and the cryptographic module selection policy 158. The cryptographic evaluation standard file in the cryptographic evaluation DB is read as appropriate, and the optimal cryptographic module for the cryptographic processing is selected. The cryptographic module selection unit 159 outputs a selection result including the cryptographic evaluation description ID corresponding to the selected cryptographic module to the cryptographic processing control unit 156 (step S5).

  If the selected cryptographic module does not exist in the cryptographic client device 150, the cryptographic processing control unit 156 outputs an error to the upper system unit and completes the processing (steps S6 and S11). If the selected cryptographic module is present in the cryptographic client device 150, the cryptographic processing control unit 156 loads the cryptographic module selected by the cryptographic module selection unit 159 into the memory as the cryptographic implementation unit 153.

  The cryptographic processing control unit 156 inputs the key information and cryptographic processing target data output from the key information management unit 162 and requests the cryptographic implementation unit 153 to perform cryptographic processing (steps S6 and S7). The cryptographic implementation unit 153 outputs the cryptographic processing result for the cryptographic processing target data to the cryptographic processing control unit 156 (step S8).

  The cryptographic processing control unit 156 issued the cryptographic processing execution environment information including the key information obtained from the key information management unit 162 and the selection result information obtained from the cryptographic module selection unit 159 to the cryptographic processing. The cryptographic processing ID is associated and registered in the cryptographic processing information DB as cryptographic processing condition information (step S9). The cryptographic process control unit 156 outputs cryptographic process result information including the cryptographic process ID and the cryptographic process result data for the cryptographic process target data to the upper system unit 151 (step S10).

When there is no cryptographic module optimal for the cryptographic processing request from the higher-level system unit 151 or the cryptographic management domain and the security policy of the cryptographic client device 150 in the cryptographic client device 150, a cryptographic including the cryptographic module and the corresponding cryptographic evaluation description file The package is acquired from the encryption management server device 350. FIG. 25 is a diagram showing an example of the distribution operation of the cryptographic package according to the first reference example of the present invention. FIG. 26 is a diagram showing an example of the distribution processing flow of the cryptographic package according to the first reference example of the present invention.

  The encryption client device 150 acquires the encryption package from the encryption management server device 350 as follows. The host system unit 151 requests the cryptographic management unit 166 to acquire a cryptographic package that is lacking in the cryptographic client device 150 (step S21). The cryptographic management unit 166 transmits the cryptographic package distribution request information including the hardware profile of the cryptographic client device 150 to the cryptographic management server device 350 using the communication function 155 (step S22).

  The cryptographic package distribution control unit 359 receives the cryptographic package distribution request information from the cryptographic client device 150 through the communication function 356 (step S23). The cryptographic package distribution control unit 359 requests the distribution cryptographic module selection unit 360 to select the optimal cryptographic module for the distribution request from the cryptographic client device 150 (step S24). The distribution cryptographic module selection unit 360 selects the optimal distribution cryptographic module for the request based on the selection input information including the cryptographic package distribution request information from the cryptographic client device 150 and the cryptographic evaluation description file of the cryptographic evaluation DB 354, and selects the selected cryptographic module. The result is output to the cryptographic package delivery control unit 359 (step S25).

  The cryptographic package distribution control unit 359 requests the cryptographic package distribution configuration unit 370 to create distribution cryptographic package information using the selection result information in step S25 (step S26). The cryptographic package distribution configuration unit 370 uses the cryptographic module DB and the cryptographic evaluation DB to convert the cryptographic package 307 including the cryptographic module 308 and the cryptographic evaluation description file 309 according to the distribution package information creation request in step S26 into the cryptographic package distribution control unit. It outputs to 359 (step S27).

  The encryption package distribution control unit 359 transmits the encryption package information including the encryption package 307 to the encryption client device 150 using the communication function 356 (step S28). The cryptographic management unit 166 receives the cryptographic package information from the cryptographic management server device 350 through the communication function 155 (step S29).

  The cryptographic management unit 166 performs evaluation of cryptographic package information including qualifier verification of the cryptographic evaluation description file 309. If the evaluation does not satisfy the condition for continuing the processing, an error is notified to the encryption management server device 350 and the host system 151, and the processing is terminated. If the condition is satisfied, the cryptographic module 308 and the cryptographic evaluation description file 309 are decomposed from the cryptographic package information and registered in the cryptographic module DB 164 and the cryptographic evaluation DB 163. The cipher management unit 166 notifies the cipher management server device 350 of the completion result using the upper system unit 151 and the communication function 155 (step S30). The cryptographic package delivery control unit 359 receives the completion notification from the cryptographic client device 150 through the communication function 356, and executes the completion processing of processing including communication disconnection (step S31).

  When the selected cryptographic module does not exist in the cryptographic client device 150, the cryptographic processing control unit 156 distributes the missing cryptographic module from the cryptographic management server device 350 to the cryptographic management unit 166 without passing through the upper system unit 151. You may cooperate automatically within the encryption control manager part 152. FIG. If the evaluation of the cryptographic package information distributed from the cryptographic management server device 350 does not satisfy the conditions for continuing the processing, the processing is not terminated due to an error, but the redistribution processing based on the error content is continuously performed to the cryptographic management server device 350 You may request.

<Second Reference Example >
In the first reference example , the case where the encryption client apparatus processes the selection of the optimal encryption method has been described. However, in the second reference example , the encryption management server apparatus leads the selection of the optimal encryption method. That is, a system comprising the cryptographic management server device 1350, the plurality of cryptographic client devices 1100, and the cryptographic hardware 450 corresponding to the cryptographic client device 1100 shown in FIG. 4 (hereinafter referred to as “the system in the second reference example ”). In the server strong cooperation mechanism, the module selection policy storage unit 110 manages and utilizes the result information of the encryption method selected by the encryption management server device 1350. In particular, when the calculation capability of the module selection policy storage unit 110 is poor, the cryptographic management server device 1350 can support the calculation, thereby improving the response performance in the cryptographic client device 1100.

Specifically, the cryptographic management server device 1350 selects the optimal cryptographic module 308 for the request from the higher system unit 1151, and the cryptographic control manager unit 1152 of the cryptographic client device 1100 receives the result, The relationship with the optimal cryptographic module 308 is managed by the cryptographic information storage unit 1600 in the apparatus. The cryptographic control manager unit 1152 performs processing according to the cryptographic processing control request from the higher system unit 1151 based on the relationship between the request from the higher system unit 1151 and the cryptographic module 308 that is optimal for this request. Therefore, unlike the first reference example , the encryption client device 1100 does not necessarily require management of the encryption package 307 and reception of the encryption management server device 1350, which are necessary for selecting all the encryption modules 308 and the encryption module 308. And not.

FIG. 4 is a block diagram showing a schematic configuration of the present system in the second reference example of the present invention. The system according to the second reference example includes one or more cryptographic client devices 1100, one or more cryptographic hardware 450, and a cryptographic management server device 1350. The cryptographic hardware 450 is the same as that in the first reference example . Here, a plurality of cryptographic hardware 450 may be connected to one cryptographic client apparatus 1100. Further, the cryptographic hardware 450 may be mounted inside the cryptographic client device 1100.

FIG. 5 is a block diagram illustrating a configuration of the encryption client device 1100. The cryptographic client device 1100 includes a higher system unit 1151, a cryptographic control manager unit 1152, a cryptographic implementation unit 1153, and a communication function 1155. The selection policy 1158 is a file in which priority information regarding safety, processing speed, and resources is set. The upper system unit 1151 and the cryptographic implementation unit 1153 have the same configuration and function as in the first reference example .

  The cryptographic control manager unit 1152 includes a cryptographic processing control unit 1156, a key management unit 1162, a cryptographic information storage unit 1600, a cryptographic package management unit 1166, and a cryptographic hardware management control unit 1170.

  The cryptographic processing control unit 1156 has a function of receiving a cryptographic processing control request including a cryptographic processing condition from the host system unit 1151, and a function of specifying the cryptographic implementation unit 1153 associated with the cryptographic processing condition with reference to the cryptographic information storage unit 1600 A function for requesting cryptographic processing to the cryptographic implementation unit 1153 according to the cryptographic processing execution timing, a function for issuing a cryptographic processing ID for the cryptographic processing and associating it with information related to the cryptographic processing and storing it in the cryptographic information storage unit 1600, It has a function of outputting the cryptographic processing result from the cryptographic implementation unit 1153 and the cryptographic processing ID related to the cryptographic processing to the upper system unit 1151.

  In accordance with a request from the host system unit 1151, the key management unit 1162 has a function of performing registration, deletion, acquisition, search, and update processing of key information in the key information DB 1165 of the encryption information storage unit 1600 and normal registration of the encryption key. A function of issuing a key ID and associating it with information related to the registration process and storing it in the cryptographic information storage unit 1600, and each processing result including the cryptographic process ID and the key ID depending on the case. It has a function to output to.

  The encryption information storage unit 1600 has a function of storing a selection DB 1601, an encryption module link DB 1602, an encryption module DB 1603, a key information DB 1165, and an encryption processing DB 1604. The cryptographic information storage unit 1600 may have a function of controlling and managing each DB included in the cryptographic information storage unit 1600 in accordance with requests from the key management unit 1162, the cryptographic processing control unit 1156, and the cryptographic package management unit 1166. .

  The data structure of the selection DB 1601 is as shown in FIG. The data structure of the cryptographic module link DB 1602 is as shown in FIG. The data structure of the cryptographic module DB 1603 is as shown in FIG. The data structure of the key information DB 1165 is as shown in FIG. The data structure of the encryption processing DB 1604 is as shown in FIG. FIG. 11 shows the logical relationship between the databases included in the encryption information storage unit 1600.

  The cryptographic package management unit 1166 has the functions described below.

  First, the cryptographic package management unit 1166 selects the information including the selection condition, the selection policy, and the hardware profile input from the upper system unit 1151 and transmits the information to the cryptographic management server device 1350 via the communication function 1155. It has a function of registering the algorithm ID, encryption evaluation description ID, encryption module ID, and recommended key length information of the encryption package 307 in the encryption information storage unit 1600.

  The cryptographic package management unit 1166 has a function of identifying the selection DB 1601 based on the selection condition input from the higher system unit 1151 and identifying the algorithm ID of the key generation engine corresponding to the encryption algorithm.

  The cryptographic package management unit 1166 has a function of registering the algorithm ID, cryptographic evaluation description ID, and cryptographic module ID of the key generation engine selected by the cryptographic management server device 1350 in the cryptographic information storage unit 1600.

  Also, the cryptographic package management unit 1166 receives the final initial registration date and time and the final initial registration domain as input to the cryptographic management server device 1350 via the communication function 1155 based on the request input from the higher system unit 1151. , And the minimum necessary encryption package 307 is downloaded from the encryption management server device 1350 and registered in the encryption information storage unit 1600.

  Also, the cryptographic package management unit 1166 receives information including a selection condition, selection policy, hardware profile, and a list of cryptographic packages 307 held in the terminal input from the host system unit 1151 via the communication function 1155. 1350, the entity of the cryptographic package 307 selected by the cryptographic management server device 1350 and its accompanying information (algorithm ID, cryptographic evaluation description ID, cryptographic module ID) are obtained and registered in the cryptographic information storage unit 1600 Has function.

  Also, the cryptographic package management unit 1166 has a function of registering the notification destination of the update notification from the cryptographic management server device 1350 and setting the policy of the action performed by the cryptographic control manager unit 1152 when an update event occurs.

  Also, the cryptographic package management unit 1166 performs cryptographic control in cooperation with the cryptographic management server device 1350 via the communication function 1155 based on the content requested from the upper system unit 1151 and the last update notification identifier held in the cryptographic control manager unit 1152. The manager unit 1152 has a function of executing update processing for the entity of the encryption package 307, the selection policy of the encryption package 307, and the association of the encryption package 307.

  Also, the cryptographic package management unit 1166 deletes the entity of the cryptographic package 307 requested from the higher system unit 1151 from the cryptographic information storage unit 1600 and each database included in the cryptographic information storage unit 1600 associated with the cryptographic package 307 Has the function to cancel the association.

  Also, the cryptographic package management unit 1166 receives the information including the migration destination domain information, the hardware profile, and the list of the cryptographic packages 307 held in the device, which are input from the higher system unit 1151, via the communication function 1155. The encryption management server device 1350 has a function of acquiring encryption package information to be taken out and subject to take-out restriction and deleting the encryption package 307 to be stored in the encryption client device 1100.

  The cryptographic hardware management control unit 1170 has a function of controlling communication with the cryptographic hardware via the communication function 1155 in response to a request from each unit of the cryptographic control manager unit 1152.

  The communication function 1155 has a function for allowing the cryptographic package management unit 1166 and the cryptographic hardware management control unit 1170 to communicate with each other communication device or cryptographic hardware.

  FIG. 12 is a functional block diagram showing the configuration of the encryption management server device 1350. The cryptographic management server device 1350 includes a server host system unit 1380, a communication function 1356, a cryptographic management server control unit 1352, a cryptographic package storage unit 1355, and a server cryptographic control manager unit 1390.

  The server host system unit 1380 has the same function as the server host system unit 1380 of the encryption client device 1100, and also has a function of transmitting a control request from the system administrator regarding encryption management to the encryption management server control unit 1352.

  The communication function 1356 has a function for the encryption management server control unit 1352 and the server encryption control manager unit 1390 to communicate with each other communication device, encryption hardware, or a simulator simulating the operation of encryption hardware.

  The cryptographic management server control unit 1352 includes a cryptographic package control unit 1359, a cryptographic package management unit 1351, a cryptographic package distribution configuration unit 1370, and a distributed cryptographic package selection unit 1373.

  The cryptographic package control unit 1359 has a function of registering a cryptographic package 307 according to a request from the server host system unit 1380, a function of updating a cryptographic package already registered by a request from the server host system unit 1380, and a cipher from the vendor. Combined cryptographic evaluation description by combining vendor verification certifier for verifying the source of the applicable cryptographic package when providing the package and multiple standalone cryptographic evaluation description sections or multiple composite cryptographic evaluation description sections A function for generating a part, a function for searching and obtaining a list of cryptographic packages 307 registered in the cryptographic module DB 1355, and a cryptographic module 308 and a related cryptographic package 307 according to a request from the server host system part 1380. With the ability to remove from And a function to output a log to the registration, updating, and deleting process that you made to the cryptographic package storage unit 1355.

  The cryptographic package management unit 1351 has a function for simultaneously processing control requests from a plurality of cryptographic client devices 1100 in parallel, initial registration processing, distribution processing, update processing, selection processing, update notification processing, and cryptographic management of the cryptographic package 307. A function for performing domain migration processing, a function for establishing a secure communication path between the cryptographic client apparatus 1100 and the cryptographic management server apparatus 1350, and a domain managed by the cryptographic management server apparatus 1350 It has a function for managing the status of the cryptographic client management apparatus, and a function for generating a log for the initial registration processing, distribution processing, update processing, selection processing, update notification processing, and cryptographic management domain migration processing of the cryptographic package 307.

  The cryptographic package distribution configuration unit 1370 has a function of acquiring the cryptographic package 307 selected by the distributed cryptographic package selection unit 1373 from the cryptographic module DB 1355, and the data of each description item stored in the cryptographic module DB 1355 is a cryptographic evaluation description format such as XML. And a function for requesting the server cryptographic control manager unit 1390 to generate a key in accordance with a designated security method for a key used in the security communication of the cryptographic package administration unit 1359, and a cryptographic client The encryption management server device 1350 according to the function of managing information related to the key based on the information including the ID of the device 1100 and the security method of the key, and the security level and security method defined in the distribution policy of the encryption management server device 1350 From the cryptographic class And a function of performing the security processing of data confidentiality and data authentication for the information to be transmitted to Ant device 1100.

  The distribution cipher package selection unit 1373 has a function of performing initial registration determination, encryption method selection and cipher package selection in the cipher package initial registration process, a function of performing distribution determination and cipher package selection in the cipher package distribution process, and a cipher package A function for performing distribution determination in the update process, a function for acquiring an updated cipher list and selecting a cryptographic package in the cryptographic package update process, a function for performing selection determination and cryptographic package selection in the cryptographic package selection process, and a cryptographic management domain migration process And a function for searching for a cryptographic package satisfying a selection condition, a selection policy, and a hardware policy from a cryptographic package storage unit.

  The cryptographic module DB 1355 includes a cryptographic module DB 1353 that records and manages the registered cryptographic module 308 and a cryptographic evaluation DB 1354 that records and manages the cryptographic evaluation description file 309.

  The server cryptographic control manager unit 1390 has the same function as the cryptographic control manager unit 1152 of the cryptographic client device 1100, and in addition to the cryptographic management server control unit 1352, the cryptographic asset management control and other communication devices in the cryptographic management server device 1350 It has a function to perform cryptographic authentication communication with.

Here, according to the second reference example of the present invention, the cryptographic processing control unit 1156 searches the cryptographic client apparatus 1100 for the cryptographic processing request from the higher-level system unit 1151, searches for the optimal cryptographic module, and executes the cryptographic processing. The cryptographic processing operation for outputting the cryptographic processing result to the upper system unit 1151 is shown. FIG. 27 is a diagram showing an example of cryptographic processing operation of the cryptographic client apparatus according to the second reference example of the present invention. FIG. 28 is a diagram illustrating an example of an encryption processing flow of the encryption client device according to the second reference example .

Processing operations of the cryptographic control manager unit 1152 and the cryptographic implementation unit 1153 in response to a cryptographic processing request from the higher system unit 1151 in the cryptographic client device 1100 according to the reference example of the present invention are shown below. The host system unit 1151 requests the cryptographic processing control unit 1156 to perform cryptographic processing with the cryptographic processing request information including the data subject to cryptographic processing and the identifier of the cryptographic processing category as input (step S41).

  The cryptographic processing control unit 1156 reads the optimal cryptographic module for the cryptographic processing request from the higher system unit 1151 from the selection DB 1601 (step S42). At this time, if there is no selection information for the optimum cryptographic module for the cryptographic processing request in the selection DB, an error is output to the higher-level system unit, and the processing is terminated (steps S43 and S50). When the selection information of the optimal cryptographic module exists, the cryptographic processing control unit 1156 reads key information corresponding to the cryptographic processing request from the higher system unit 1151 from the key information DB 1165 (step S44).

  If the selected cryptographic module does not exist in the cryptographic client apparatus 1100, an error is output to the upper system unit 1151, and the process is terminated (steps S45 and S51). When the selected cryptographic module is present in the cryptographic client apparatus 1100, the cryptographic processing control unit 1156 reads the cryptographic module link information and the cryptographic module information from the cryptographic module link DB and the cryptographic module DB, and the cryptographic module is installed in the cryptographic module mounting unit. 1153 is loaded into the memory.

  The cryptographic processing control unit 1156 inputs the key information and the cryptographic processing target data from the higher-level system unit to the cryptographic implementation unit 1153, and requests cryptographic processing (step S46). The cryptographic implementation unit 1153 outputs the cryptographic processing result for the cryptographic processing target data to the cryptographic processing control unit 1156 (step S47). The cryptographic processing control unit 1156 generates cryptographic processing condition information including the cryptographic processing identifier and records it in the cryptographic processing DB 1604 (step S48). The cryptographic processing control unit 1156 outputs the cryptographic processing result information including the cryptographic processing ID and the cryptographic processing result data for the cryptographic processing target data to the upper system unit 1151 (step S49).

  In step S43, when the selection information of the optimal cryptographic module corresponding to the cryptographic processing request does not exist in the selection DB, the cryptographic management server apparatus 1350 is requested to select the optimal cryptographic module without outputting an error to the upper system unit. Result information may be downloaded. Further, when the cryptographic module described in the selection result information does not exist in the cryptographic client apparatus 1100, the cryptographic management server apparatus 1350 transfers the cryptographic module to the cryptographic client apparatus 1100 without outputting an error to the upper system unit. You may download it.

The encryption client device 1100 registers the information that links the upper system request and the optimum cipher in the relation DB as follows, including the case where the selection information of the optimum cipher module for the cipher processing request does not exist in the selection DB. can do. This eliminates the need for connection to the encryption management server device 1350 to select the optimum encryption for the same encryption processing request from the host system. FIG. 29 shows an optimal cipher inquiry process according to the second reference example of the present invention. FIG. 30 shows an example of an optimal encryption inquiry processing flow according to the second reference example of the present invention.

  The host system unit 1151 requests the cryptographic package management unit 1166 to select a cryptographic module optimal for the selection condition including the category identification information (step S61). The cipher package management unit 1166 makes a cipher selection request to the cipher management server device 1350 using the communication function 1155 based on the cipher selection request information from the upper system unit 1151 (step S62). The encryption selection request includes, for example, information on the category identifier, the encryption module selection policy of the encryption client device 1100, and the hardware profile.

  The cryptographic package control unit 1351 receives the cryptographic selection request from the cryptographic client device 1100 through the communication function 1356 (step S63). The cryptographic package control unit 1351 inputs the category identifier, hardware profile, and selection policy information included in the cryptographic selection request to the distributed cryptographic package selection unit 1373, and requests selection of a cryptographic package that meets the conditions. (Step S64).

  The distribution cipher package selection unit 1373 selects a cipher package that meets the conditions while acquiring a necessary cipher evaluation description file from the cipher evaluation DB 1354, and outputs a list of identifiers of the selected cipher evaluation description file ( Step S65). When the number of output cryptographic evaluation description files is zero, the cryptographic package control unit 1351 uses the communication function 1356 to send a request for whether or not to send cryptographic containers according to the selection result. The data is transmitted to the client device 1100 (step S66).

  In response to the selection result notification from the cryptographic management server device 1350, the cryptographic package management unit 1166 makes a request for sending the cryptographic container according to the termination process or the selection result (step S67). When the cryptographic package control unit 1351 receives the cryptographic container sending request from the cryptographic client device 1100 via the communication function 1356, the cryptographic package control unit 1351 continues the next processing (step S68). The cryptographic package control unit 1351 receives the identifier of the cryptographic evaluation description file selected in step S65 as input, and sends the creation of the target cryptographic package to the cryptographic package distribution configuration unit 1370 (step S69).

  The cryptographic package distribution configuration unit 1370 acquires necessary information from the cryptographic evaluation DB 1354 and the cryptographic module DB 1353, creates cryptographic package information, and outputs the cryptographic package information to the cryptographic package control unit 1351 (step S70). The cryptographic package control unit 1351 creates a cryptographic container in which the security protection processing corresponding to the communication security level is performed on the cryptographic package information, and transmits the cryptographic package information to the cryptographic client device 1100 via the communication function 1356 (step S71). The cryptographic package management unit 1166 performs security protection cancellation or validity authentication according to the security level from the cryptographic container information, registers necessary information in the selection DB 1601 and the cryptographic module link DB 1602, and outputs the processing result to the higher system ( Step S72).

If the optimum cryptographic module does not exist in the cryptographic client apparatus 1100, including after registration of the selection results in the DB 1601 and the cryptographic module link DB 1602, the cryptographic module is assigned to the target cryptographic module in the cryptographic distribution processing as follows. Download from device 1350. The distribution operation of the cryptographic module according to the second reference example of the present invention is shown in FIG. Also, FIG. 32 shows an example of a cryptographic module distribution processing flow according to the second reference example of the present invention.

  The host system unit 1151 receives the information including the identifier of the cryptographic algorithm as an input, and requests the cryptographic package management unit 1166 to send a cryptographic module distribution request (step S81). The cryptographic package management unit 1166 makes a cryptographic selection request to the cryptographic management server device 1350 using the communication function 1155 based on the cryptographic package distribution request information from the higher system unit 1151 (step S82).

  The cryptographic distribution request includes, for example, an identifier of a cryptographic algorithm, a cryptographic module selection policy of the cryptographic client device 1100, and information on a hardware profile. The cryptographic package control unit 1351 receives the cryptographic distribution request from the cryptographic client device 1100 through the communication function 1356 (step S83). The cryptographic package control unit 1351 inputs the cryptographic algorithm identifier, hardware profile, and selection policy information included in the cryptographic distribution request to the distribution cryptographic package selection unit 1373, and selects a cryptographic package that matches the distribution request. Request (step S84).

  The distribution cipher package selection unit 1373 obtains the necessary cipher evaluation description file from the cipher evaluation DB 1354 based on the distribution request request information including the hardware profile of the cipher client device 1100 and the selection policy, and the cipher that matches the condition is obtained. The package is selected, and a list of identifiers of the selected cryptographic evaluation description file is output (step S85).

  Using the communication function 1356, the cryptographic package control unit 1351 uses the communication function 1356 to terminate the request when the number of output cryptographic evaluation description files is 0, and when it is not 0, the request for whether or not the cryptographic package is sent according to the distribution evaluation result. The data is transmitted to the encryption client device 1100 (step S86). In response to the distribution evaluation result notification from the encryption management server device 1350, the encryption package management unit 1166 makes a request for sending the encryption container according to the termination process or the selection result (step S87).

  When the cryptographic package control unit 1351 receives the cryptographic package sending request from the cryptographic client device 1100 via the communication function 1356, the cryptographic package control unit 1351 continues the next processing (step S88). The cryptographic package control unit 1351 receives the identifier of the cryptographic evaluation description file selected in step 85 as input and sends the creation of the target cryptographic package to the cryptographic package distribution configuration unit 1370 (step S89).

  The cryptographic package distribution configuration unit 1370 acquires necessary information from the cryptographic evaluation DB 1354 and the cryptographic module DB 1353, creates cryptographic package information, and outputs the cryptographic package information to the cryptographic package control unit 1351 (step S90). The cryptographic package control unit 1351 creates cryptographic package information that has been subjected to security protection processing corresponding to the communication security level, and transmits the cryptographic package information to the cryptographic client device 1100 via the communication function 1356 (step S91).

  In the security protection processing, the MAC may be assigned to the encryption package, or the encryption package may be encrypted and transmitted, and the request decryption function of the encryption hardware 450 may be used. The cryptographic package management unit 1166 performs security protection cancellation or validity authentication according to the security level from the cryptographic package information, registers necessary information in the cryptographic module DB 1603, and outputs the processing result to the higher system (step S92).

  The cryptographic container is a distribution data string including header information and data obtained by performing security protection processing on cryptographic content such as information on cryptographic evaluation description files and cryptographic modules sent from the cryptographic management server device 1350 to the cryptographic client device 1100. The security protection processing includes means such as encryption of encrypted content, header information and MAC (Message Authentication Code) assignment for the encrypted content, and header information and MAC assignment for the encrypted content. Here, it may be a form in which header information is added to the encrypted content itself without performing any security protection processing.

  The encryption hardware 450 may store the encryption key used for the security protection process or execute the security protection process itself. For example, there is an implementation in which the cryptographic hardware management control unit 1170 inputs encrypted content that has been encrypted to the cryptographic hardware 450, executes decryption processing inside the cryptographic hardware 450, and acquires the decrypted encrypted content that is output. The header information of the cryptographic container is, for example, the type of encrypted content, the number of cryptographic modules to be transmitted, and the transmission data size.

<First embodiment>
Next, in the above-described system, when a defect is found in the software module used on the terminal side, a system that provides another software module until an alternative software module is completed will be described.

According to the first embodiment, it is possible to update such encryption module 308 and cryptographic package 307 carried out in the first reference example and the second reference example, to process more safely. The update target according to the present embodiment is not limited to the cryptographic package 307, and can be used for update processing of any software module. In other words, if a vulnerability such as a vulnerability is detected in a software module that is already being executed or used in a computing device, the software module can be provided by distributing and providing a corrected version of the module. It may not be the cryptographic module 308 or the like.

The first embodiment is an embodiment in which a software module that can obtain a better determination than a software module in which a defect is found in the function of selecting a software module to be used is distributed together with its evaluation index. As a result, it is possible to prevent an attack using the defect by stopping the use of the software module while concealing which software module the defect has been discovered.

  FIG. 13 is a diagram showing a configuration of the software module management apparatus 301 in the present embodiment. The software module management apparatus 301 includes a storage unit 310, a first distribution unit 311, and a second distribution unit 312.

  The storage unit 310 stores, for example, a software module A, a software module B having the same function as the software module A, and evaluation indexes corresponding to them.

  For example, when a defect occurs in the software module, the first distribution unit 311 transmits the substitute module of the software module to the computing device 100 that uses the software module, and the software module of the computing device 100 is transmitted. Switch.

  In addition, the second distribution unit 312 transmits, for example, a modified version of the software module in which the malfunction occurs to the computing device 100 that is using the alternative module, and switches the software module of the computing device 100.

  Next, a schematic configuration of functional modules of the computing device 100 in the present embodiment is shown in FIG. The computing device 100 includes a central processing unit 101, a storage device 102, an operating system module 103, a module selection module 104, an updatable software module 105, a network connection unit 106, and a module selection policy storage unit 110. Each of which is connected by a logical bus 107. The updatable software module 105 represents a plurality of software modules. The network connection unit 106 is connected to the network 108. The module selection module 104 refers to the selection criteria stored in the module selection policy storage unit 110 and selects an appropriate software module 105 that matches the intended application. The selection criterion is, for example, information in which a lower limit and an upper limit are specified for one or more items such as the amount of resource used and the processing speed.

  The module selection module 104 reads the selection criterion information from the module selection policy storage unit 110, compares the selection criterion information with the evaluation index included in the updatable software module 203, and satisfies the selection criterion information. An executable software module 201 corresponding to is detected.

  A schematic configuration of the updatable software module distributed in the present embodiment is shown in FIG. The updatable software module 203 to be distributed includes an executable software module 201 and an evaluation index 202. The evaluation index 202 is information in which evaluation information of the corresponding software module 201 is stored. For example, the evaluation index 202 is a data file in which evaluation information is expressed in an XML format. The evaluation index 202 stores information such as a used resource amount 211, a processing speed 212, a processing content 213, a usage 214, and a usage period 215, which are indexes that can be used for evaluation. Further, the evaluation index 202 may store identification information of the corresponding executable software module 201.

  The used resource amount 211 is information obtained by quantifying resource information such as a required memory amount when the corresponding executable software module 201 operates. The processing speed 212 is, for example, information obtained by quantifying the calculation amount when the corresponding executable software module 201 operates. The processing content 213 is information indicating the operation processing content of the algorithm of the executable software module 201, for example. The usage 214 may be, for example, identification information of a category in which the processing usage of the corresponding executable software module 201 is predetermined. The usage period 215 is information indicating the usage guarantee period of the corresponding executable software module 201, for example.

  Note that the information included in the evaluation index 202 is an example, and the content is not limited as long as it is an index that can be used for evaluation. The evaluation index 202 is used based on the module selection module 104 and the executable software module 201.

  A typical hardware configuration example of the computing device according to the embodiment of the present invention is shown in FIG. In the computing device 400, the ROM 401, the RAM 402, and the rewritable nonvolatile memory 403 are mutually connected to the CPU 404 via the bus 406. The bus 406 is connected to the external storage device 407, the storage medium reading device 408, and the network interface 410 via the I / O 405. A storage medium 409 located outside the computing device can be read by a storage medium reading device 408. The network interface 410 can be connected to a network 411 located outside the computing device.

  FIG. 16 shows a schematic configuration of distribution of updatable software modules in the embodiment of the present invention. The software module management apparatus 301 distributes the software module 320 to a plurality of computing devices 303, computing devices 304, and computing devices 305 via the network 302. The software module 320 distributed via the network 302 may be protected and concealed by a conventional technique such as encryption or electronic signature as necessary. In the present embodiment, the distributed software module 320 may be any one of the executable software module 201 and the evaluation index 202 in FIG.

  Further, in the present embodiment, the distribution via the network 302 is exemplified, but the present invention is not limited to this example. If the software module 320 is distributed, it can be easily analogized by those skilled in the art that the same purpose can be achieved with any form of storage medium or input device.

  Prior to the description of the operation example of the present embodiment, FIG. 18 shows an operation example of the distribution and start of use of the modified software module according to the prior art in time series. The passage of time 500 flows from left to right in the figure. That is, the left end corresponds to a past time point, and the right end corresponds to a current time point and a future time point. If a defect of the software module is found in step S501, the developer of the software module starts correction module development in step S502, and starts distribution of the correction module in step S503. The attacker who uses the defect obtains the corrected software module whose distribution is started in step S503, and starts analysis of the correction contents in step S504. Thereafter, the attacker uses the analysis result to start an attack using the defect in step S505. If it is assumed in step S506 that the use of the correction module started to be distributed in step S503 is started in a certain computing device, the period between step S505 and step S506 is a vulnerability period, and the contents of the defect correction are related. This is the period when you can attack.

  FIG. 19 shows an operation example of distribution and start of use of the modified software module according to the present embodiment in time series. The passage of time 600 flows from left to right in the figure.

  For example, it is assumed that the software module A included in the updatable software module 105 of the computing device 303 that is in an executable state is being executed. When a malfunction of the software module A is found in step S601, for example, the vendor that provides the software module A starts development of the software module A ′ that is a correction module of the software module A (step S602).

  The first distribution unit 311 of the software module management apparatus 301 is a software module that is a substitute module for the software module A and is stored in advance in the storage unit 310 in step S603, which is a time point after step S601. Distribution of B is started. Here, the software module B has the same function as the software module A, but is a module in which a different algorithm is mounted. In other words, the first distribution unit 311 distributes the software module B, which is an alternative module, to the computing device 100 that uses the software module A that has been found to be defective. An alternative module switching command that is a command to switch to is transmitted.

  The central processing unit 101 of the computing device 100 receives the software module B, which is an alternative module, and an alternative module switching command via the network connection unit 106. Then, the module selection module 104 stored in advance in the computing device 100 switches the software module A being executed to the software module B. Here, “switching” means, for example, that the function service provided by the software module A is provided by the software module B. Specifically, the execution file that executes the calculation of the function service And the like, and further, for example, restarting the function service to reconstruct the cooperative relationship between the software modules.

  When the vendor completes the development of the software module A ′, which is a correction module, and stores the software module A ′ in the storage device 310 (step S604), the second distribution unit 312 starts distributing the software module A ′. (Step S605). That is, the second distribution unit 312 transmits the software module A ′ and the correction module switching command to the computing device 100. When the computing device 100 receives the software module A ′ and the modification module switching command, the module selection module 104 switches the software module B being executed to the software module A ′ (steps S606 and S607).

  In this way, in step S603 and subsequent steps when the replacement module is started to be distributed, the use of the software module including a defect that has been conventionally used is stopped. In addition, unlike the correction module distribution in step S503 according to the conventional technique shown in FIG. 18, the substitute module distributed in step S603 does not include the contents of the defect correction, and therefore gives the attacker a clue about the defect. This has the effect of eliminating the danger of being lost.

  Note that although the distribution start of the alternative module (step S603) is later than the time when the defect is found (step S601), the process of S603 may be performed before the time of S601. Specifically, by distributing an alternative module to the computing device 100 in advance, an emergency situation can be avoided by making the alternative module available immediately in the event of a malfunction. .

<Second Embodiment>
In the second embodiment, the module selection module 104 of the computing device 100 has a function of selecting an updatable software module to be executed from the updatable software module 105 to be used. This is a method of distributing an updated module selection policy so that a software module that does not include the above-described defects can obtain a superior determination. When the network connection unit 106 of the computing device 100 receives the new module selection policy, the central processing unit 101 stores the new module selection policy in the module selection policy storage unit 110. Then, the module selection module 104 reselects the software module being executed by the updatable software module 105 according to the new module selection policy, and puts the selected software module into the execution state.

  In this way, there is an effect of preventing an attack using the defect by stopping the use of the software module while keeping secret as to which software module the defect is discovered as a result.

  In the embodiment of the present invention, the software module 320 in FIG. 16 includes a module selection policy. The module selection policy is distributed from the software module management apparatus 301 to the computing devices 303, 304, and 305 via the network 302. Then, the distributed module selection policy is stored in the module selection policy storage unit 110 of the computing device 100 shown in FIG. In the new module selection policy, it is assumed that conditions that are stricter than those of the evaluation index 202 corresponding to the software module whose defect is found in step S601 are set. In other words, if “100 KB” is set in the used resource amount 211 of the software module whose trouble has been found out, a new module selection policy including “the used resource amount is smaller than 100 KB” as condition information is distributed. . Then, if the module selection module 104 updates the software module operating with the software module 105 that can be updated according to the new module selection policy to a new software module, a software module other than the software module that has been found to be defective is selected, and the execution state become.

  In this way, instead of one or more software modules including software modules whose use is to be stopped due to a defect, an adjustment is made so that, for example, an old version of a software module that has not been stored in a computing device is selected. The evaluation index 202 of the content thus obtained is included.

  In this embodiment, the operator is used as a selection criterion by distributing or updating an evaluation index with a fixed expiration date regularly or irregularly, even if no defect is found. Distribution of evaluation indices makes it difficult to infer the occurrence of defects, and the safety of the entire system can be improved.

< Third Embodiment>
In the first and second embodiments, the third embodiment notifies each computing device from the server that the use of the alternative module has ended.

  Accordingly, the usage period of the alternative module can be terminated at an arbitrary timing, and the use start time of the correction module can be arbitrarily selected in consideration of the distribution of the correction module and the application completion status.

< Fourth Embodiment>
In the fourth embodiment, in the function of selecting a software module to be used, the software module of the selection function is selected so that a software module that does not include a defect is superior to the software module in which the defect is found. How to change. As a result, there is an effect of preventing an attack using the defect by stopping the use of the software module while concealing which software module the defect has been discovered.

  In the embodiment of the present invention, the selection function software module 320 in FIG. 16 includes the module selection module 104, and the module selection module 104 is distributed from the server 301 to the computing devices 303, 304, and 305 via the network 302. Is done. In the computing device shown in FIG. 14, the selection module 104 is updated with the new selection module distributed.

  The new module is not one or more software modules including the software module whose use is to be stopped due to a defect, but selects a software module that does not include a defect that has been stored in a computing device, for example, an old version.

  In the embodiment of the present invention, even if no failure is found, the operator makes an analogy to the occurrence of a failure by updating the selection module by regularly or irregularly updating the selection module. It becomes difficult to improve the safety of the entire system.

< Fifth Embodiment>
In the fifth embodiment, as an embodiment of the present invention, a software module to be updated is limited to a cryptographic processing software module. There are a number of algorithms for encryption processing that are intended to conceal data or guarantee integrity by electronic signatures, and can be arbitrarily selected. When an algorithm itself is compromised rather than a problem in implementation with respect to a certain algorithm, each of the first to fourth embodiments has an effect of improving the safety of the system.

  As described above, according to the present invention, computing that has not yet been applied with a new software module using information obtained from a new software module that corrects a defect, which has been a problem in the conventional technique, has been described. It is possible to reduce the threat of attacks that exploit device defects.

The present invention also provides software of a plurality of vendors that provide the same function when a software module for the same function is supplied from a plurality of vendors and a defect is found in the software module of a certain vendor. Distribute software modules that replace the modules. In the device to be used, the software module corresponding to the target function is selected by the software module selection function. In the second embodiment, a software module adjusted so that an index serving as a selection criterion is superior to a conventional software module is distributed. Another embodiment distributes instructions to change the criteria of the selection method, and the newly distributed software module replaces the traditional software module. In any embodiment, the operator or software module developer distributes and activates the software module that corrects the defect after the appropriate distribution period has elapsed and the replacement software module has been properly distributed to the computing device. Turn into.

The reference examples and embodiments described above are merely given as typical examples, and variations and variations thereof will be apparent to those skilled in the art. Those skilled in the art will understand the principles of the present invention and the invention described in the claims. It will be apparent that various modifications of the above-described embodiments can be made without departing from the scope.

In the above-described reference examples and embodiments, description has been made with a computing device that can be connected to a network. However, the present invention is not limited to personal computers, tablet computers, notebook computers, personal digital assistants, only computers and mainframe computers, portable computers. It can be implemented for the distribution of software modules in many types of computers, computing devices, or computing systems, such as telephones, wireless communication devices, or hybrid computing devices that combine mobile phones and personal digital assistants.

The reference examples and embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the reference examples and embodiments, and the design does not depart from the gist of the present invention. Etc. are also included.

  Note that a program for realizing the function of the processing unit in the present invention is recorded on a computer-readable recording medium, and the program recorded on the recording medium is read into a computer system and executed to distribute software modules. May be performed. Here, the “computer system” includes an OS and hardware such as peripheral devices. The “computer system” includes a WWW system having a homepage providing environment (or display environment). The “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM and a CD-ROM, and a hard disk incorporated in a computer system. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included.

  The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, what is called a difference file (difference program) may be sufficient.

  The present invention makes it possible to provide a software module distribution and update system that reduces the threat of misuse of software module defects and improves safety in a computer device that performs updates to correct the defects of software modules. .

  DESCRIPTION OF SYMBOLS 100 ... Computing device 101 ... Central processing unit 102 ... Storage device 103 ... Operating system module 104 ... Selection function module 105 ... Updateable software module 106 ... Network connection part 108 ... Network 110 ... Selection Reference storage unit 111 ... Network 150 ... Cryptographic client device 151 ... High-level system unit 152 ... Cryptographic control manager unit 153 ... Cryptographic implementation unit 154 ... Cryptographic implementation I / F unit 155 ... Communication function 156 ... Cryptography Processing control unit, 157 ... Encryption processing information DB, 158 ... Encryption module selection policy, 159 ... Encryption module selection unit, 160 ... Hardware profile, 161 ... Access control policy, 162 ... Key information management unit, 163 ... Encryption evaluation DB, 164 ... Cryptography Joule DB, 165 ... Key information DB, 166 ... Cryptographic management unit, 167 ... Cryptographic control manager policy, 168 ... Algorithm negotiation unit, 169 ... Secure communication management unit, 170 ... Cryptographic hardware management control unit, 201 ... Executable software Module, 202 ... Evaluation index, 203 ... Updatable software module, 211 ... Resource amount used, 212 ... Processing speed, 213 ... Processing content, 214 ... Usage, 215 ... Usage period, 301 ... Software module management device, 302 ... Network 303 ... Computing device 304 ... Computing device 305 ... Computing device 307 ... Cryptographic package 308 ... Cryptographic module 309 ... Cryptographic evaluation description file 310 ... Storage unit 311 ... First Distribution unit, 312 ... second distribution unit, 320 ... software module, 350 ... encryption management server device, 351 ... encryption management unit, 352 ... encryption distribution unit, 353 ... encryption module DB, 354 ... encryption evaluation DB, 355 ... encryption Registration unit, 356... Communication function, 357... Cryptographic package registration unit, 358... Composite type description generation unit, 359... Cryptographic package distribution control unit, 360. Policy: 450 ... Cryptographic hardware unit, 1100 ... Cryptographic client device, 1151 ... Higher system unit, 1152 ... Cryptographic control manager unit, 1153 ... Cryptographic implementation unit, 1155 ... Communication function, 1156 ... Cryptographic processing control unit, 1158 ... Selection policy 1160: Hardware profile 1162: Key management unit 116 5 ... Key information DB, 1166 ... Cryptographic package management unit, 1170 ... Cryptographic hardware management control unit, 1350 ... Cryptographic management server device, 1351 ... Cryptographic package management unit, 1352 ... Cryptographic management server control unit, 1353 ... Cryptographic module DB, 1354 ... Encryption evaluation DB, 1355 ... Encryption package storage unit, 1356 ... Communication function, 1359 ... Encryption package administration unit, 1370 ... Encryption package distribution component, 1371 ... Distribution policy, 1372 ... Domain information, 1373 ... Distribution encryption package selection unit , 1380: Server upper system unit, 1390: Server cryptographic control manager unit, 1450 ... Cryptographic hardware, 1600 ... Cryptographic information storage unit, 1601 ... Selection DB, 1602 ... Cryptographic module link DB, 1603 ... Cryptographic module DB, 1604 ... Cryptographic Process D .

Claims (6)

In a terminal device in which a software package including a software module having a function of performing cryptographic processing and a cryptographic evaluation description file is distributed in advance, a first selected based on the cryptographic evaluation description file in response to a cryptographic processing request from a higher system a software module management apparatus for managing the software modules in the case of changing the first software module operating in the terminal device a first software module to the second software module,
A storage unit for storing a third software module different from the first software module and the second software module;
The third software module stored in the storage unit can be read, and the read third software module can be distributed to the terminal device and used by switching from the first software module to the third software module. A first distribution unit to be in a state;
A second distribution unit that distributes the second software module to the terminal device, and switches the third software module to the second software module to be usable;
I have a,
The third software module is an alternative module having a function similar to that of the first software module but having a different implementation . A software module management device for managing an alternative software module when changing a first software module operating in a terminal device to a second software module,
When each software module has an evaluation index including at least one of a processing resource amount and a processing speed, a storage unit that stores selection criterion information indicating a criterion for selecting the alternative software module;
The selection criterion information stored in the storage unit is read out, and the read selection criterion information is distributed to the terminal device, and a first alternative software module is selected based on the evaluation index that satisfies the selection criterion information . A distribution department;
A second distribution section to said second software module is distributed to the terminal device, ready the operation let switched on before hexene-option by alternative software modules second software module,
I have a,
The software module management apparatus, wherein the software module management device is a software module management module having a function similar to that of the first software module but having a different implementation . The second delivery unit, after delivering the second software module, according to claim 2, characterized in that to terminate the use of alternative software modules that use next to the first software module Software module management device. The software module management apparatus according to claim 2, wherein each software module has a function of performing cryptographic processing. In a terminal device in which a software package including a software module having a function of performing cryptographic processing and a cryptographic evaluation description file is distributed in advance, a first selected based on the cryptographic evaluation description file in response to a cryptographic processing request from a higher system said first software module operating in the terminal device a piece of software modules in the computer is a software module managing apparatus for managing the software modules in the case of changing the second software module,
A storage function for functioning as a storage unit for storing a third software module different from the first software module and the second software module;
The third software module stored in the storage unit can be read, and the read third software module can be distributed to the terminal device and used by switching from the first software module to the third software module. A first distribution function to make a state;
A second distribution function for distributing the second software module to the terminal device and switching the third software module to the second software module to be usable;
To achieve,
The third software module is a software module management program which is an alternative module having the same function as the first software module but having a different implementation . In a computer which is a software module management device for managing an alternative software module when changing the first software module operating in the terminal device to the second software module,
When each software module has an evaluation index including at least one of a processing resource amount and a processing speed, it functions as a storage unit that stores selection criterion information indicating a criterion for selecting the alternative software module Memory function
The selection criterion information stored in the storage unit is read out, and the read selection criterion information is distributed to the terminal device, and a first alternative software module is selected based on the evaluation index that satisfies the selection criterion information . Distribution function,
Delivering said second software module into the terminal device, and before hexene-option by alternative software modules second delivery function to ready the operation allowed switched to the second software module,
To achieve,
The alternative software module is a software module management program which is an alternative module having the same function as that of the first software module, but having a different implementation .

Images